Apply on Employer Site

Coastal · 3 days ago

Director of Cybersecurity Governance, Risk & Compliance

United States

Full-time

Onsite

Senior Level, Lead/Staff

$195K/yr - $230K/yr

10+ years exp

Coastal is at the forefront of modern banking, combining strong financial infrastructure with cutting-edge Banking-as-a-Service and fintech enablement strategies. The Director of Cybersecurity Governance, Risk & Compliance will lead the Security GRC function, manage a team, and oversee Third Party Risk Management, security governance, and regulatory compliance to ensure the overall health of Coastal's Security Program.

Financial Services

Responsibilities

Lead the Security GRC team responsible for Third Party Risk Management, control governance and testing, Business Continuity Management, and access governance

Set the vision, roadmap, and priorities for the Security Program in partnership with the CISO, other Security & IT functions, and Enterprise Risk Management

Mentor and develop team members. Define clear goals, performance expectations, and development plans

Act as a key advisor to security and business leadership on cyber and technology risk posture, tradeoffs, and remediation priorities

Own the Security Program and ensure that regulatory, contractual, and internal security requirements are satisfied across the enterprise and BaaS/fintech ecosystem

Define and maintain the enterprise control baseline mapped to the NIST CSF, CRI Profile, and FFIEC IT Examination Handbooks, aligning with GLBA, SOX, and PCI-DSS where applicable

Author and approve control narratives, RACI, evidence requirements, testing procedures, and control objectives. Author and maintain cybersecurity governance documents, such as policies and standards

Work with technical control owners to implement processes and automations aligned to written controls, policies, and standards

Champion 'policy as code' and guardrails (e.g., identity, configuration, network segmentation, logging/monitoring) in partnership with Security Engineering and IT

Oversee targeted cyber/IT risk assessments for technology changes, third parties, products, and fintech programs and ensure clear articulation of inherent and residual risk

Maintain a centralized log of issues, control gaps, and remediation plans; ensure sustainable fixes and prevent recurrences by updating baselines, standards, and automation

Partner with Enterprise Risk Management on risk acceptance, watch lists, and aggregation of security risks into enterprise risk reporting

Own the design and execution of access certification campaigns across key systems and applications (e.g., core banking, identity platforms, cloud, fintech partner integrations)

Own the Third Party Risk Management (TPRM) program for vendors who provide services to the Bank

Define and maintain risk-based onboarding, due diligence, and ongoing monitoring processes for third parties

Lead cybersecurity reviews of fintech partners, including evaluation of controls, data flows, architecture, and shared-responsibility models

Partner with Procurement, Legal, and Business Lines to ensure contracts and SLAs reflect appropriate security, privacy, and resilience requirements

Track remediation of vendor and fintech security issues and report status and residual risk to stakeholders and governance committees

Own the Business Continuity Management Program execution for the Bank in coordination with key stakeholders. Ensure business impact analyses (BIA), recovery strategies, plans, and playbooks are defined, maintained, and tested for critical business processes and supporting technologies

Plan and coordinate BCP/DR exercises, including lessons-learned reviews and remediation tracking

Provide reporting on resilience posture, RTO/RPO alignment, and program maturity to senior management and risk committees

Lead preparation and responses for Internal Audit activities, regulatory examinations, independent audits, and customer/partner due diligence related to security, IT, and BCM

Produce concise, defensible narratives, control maps, and evidence packages. Coordinate requests and brief stakeholders before and during exams

Track and oversee remediation of exam and audit findings and report progress to management and risk committees

Publish program health dashboards, KRIs/KPIs, and control maturity assessments to Enterprise Risk Management, management, and risk committees

Coach control owners on expectations, testing methods, evidence hygiene, and automation opportunities

Promote a culture of control excellence, continuous improvement, and proactive risk management across the Bank

Qualification

Cybersecurity GovernanceRisk ManagementCompliance ProgramsThird Party Risk ManagementNIST CSFFFIEC IT Examination HandbooksBusiness Continuity ManagementControl FrameworksAutomation SkillsPythonTypeScriptBashPowerShellAzureMicrosoft 365OktaWindowsLinuxCI/CDVulnerability ManagementEDRLogging/SIEMData ProtectionGRC PlatformsCommunication SkillsEmotional IntelligenceTeam LeadershipProblem SolvingAdaptabilityAttention to Detail

Required

Demonstrated ability to operationalize the FFIEC IT Examination Handbooks, NIST CSF, and the CRI Profile into practical, auditable controls and testing procedures

Proven experience owning or leading Third Party Risk Management, control frameworks, and/or Business Continuity Management programs in a regulated environment

Hands-on skill implementing proactive controls and automating control testing/evidence collection using APIs, various languages (Python, TypeScript, Bash, and/or PowerShell), and data pipelines/dashboards

Familiarity with Azure/Microsoft 365/Entra, Okta, Windows/Linux, networks, CI/CD, vulnerability management, EDR, logging/SIEM, and data protection

Experience with GRC platforms and workflow/ticketing systems

Strong understanding of FFIEC IT Examination Handbooks, NIST CSF, NIST SP 800-53, GLBA, SOX, and PCI DSS and ability to map and rationalize overlapping requirements

Excellent written/oral communication with proven ability to influence cross-functional teams and present to management, auditors, regulators, and fintech partners

Bias for automation and measurable outcomes

Comfortable in fast-moving, high-accountability settings

10+ years in Cybersecurity Risk, Governance, Compliance, Security Operations, and/or risk engineering. Experience in regulated industries, especially financial services, strongly preferred

3+ years managing a Cybersecurity Risk, Governance, and Compliance team

Bachelor's degree in Information Systems, Computer Science, Cybersecurity, or related field; equivalent experience considered

Preferred

Certifications preferred: CRISC, CISA, CISSP, CISM, CCSK/CCSP, AZ-500 (or comparable)

Benefits

Medical Coverage: Choose from three competitive medical plans to find the coverage that best fits your needs and lifestyle.

Health Savings Account (HSA): Available with eligible medical plans, offering tax advantages and employer contributions.

Flexible Spending Accounts (FSA): Options for healthcare and dependent care expenses to help you save on out-of-pocket costs.

Dental and Vision Insurance: Plans to keep you and your family smiling and seeing clearly.

Life Insurance: Company-paid basic life insurance with options to purchase additional coverage for yourself and your dependents.

Long-Term /Short-Term Disability (LTD): Income protection in the event of a long-term illness or injury.

Supplemental Benefits: Including Hospital Indemnity, Accident Insurance, and Critical Illness coverage to provide extra financial support when you need it most.

401(k) Retirement Plan: A competitive retirement savings plan with company matching to help you plan for the future.

Paid Time Off: Generous vacation and sick leave policies to support your time away from work.

Holidays: Enjoy 11 paid holidays throughout the year.